Free Republic

Microsoft Edge imports other browsers’ passwords
AskWoody | 12 July 2021 | Brian Livingston

Posted on 07/12/2021 11:30:18 AM PDT by ShadowAce

When some readers installed the new Microsoft Edge browser — which replaces the old “legacy Edge” — they got a big surprise. They discovered that Edge had somehow magically absorbed all the usernames and passwords they’d carefully saved in their previously installed browsers, such as Chrome, Firefox, Internet Explorer, and legacy Edge.

What’s even more surprising is that Edge — which until recently couldn’t import or export passwords at all — may be doing this new behavior by design.

The bad news is that you shouldn’t store passwords in Edge in the first place — or in any browser, really. This may allow other programs, including malware, to read passwords that are stored in machine-readable files. Please read on.

Install the new Edge, and it immediately knows all your passwords?

The password-vacuuming behavior described above occurred because of the following sequence of events, according to one reader:

Figure 1 shows the dialog box the reader photographed with his phone. This yes-no query might be named “May I import the passwords from Edge that you didn’t know Edge already had a copy of?”

Firefox can import passwords from Edge
Figure 1. When Edge was installed, it copied the passwords that had been stored by an existing instance of Firefox, a reader claims. When a new version of Firefox was installed without copying any passwords, it asked the user whether it should sign in to sites such as Social Security by importing login credentials from Edge. (I’ve highlighted Firefox’s request with an orange box.)  Source: Screen shot from reader’s smartphone

Other users have reported a similar sequence of events involving Edge and the Chrome browser. In August, one poster said on the official Microsoft Answers forum for Edge:

I have no idea how this happened, but after updating my computer, Microsoft Edge opens up, which is normal I suppose, but they got my Google Chrome passwords and bookmarks without my consent …

Moderators quickly responded that Edge importing Chrome’s stored passwords without user approval “wasn’t very likely.” Edge is supposed to present the dialog box shown in Figure 2, asking whether to import or not import.

Figure 2. When Edge is installed, it’s supposed to present the user with a dialog box asking whether it can import saved passwords from whichever browser the user had previously used the most.  Source: Microsoft Answers page

The history of Edge’s and other browsers’ stored passwords is a bit hard to follow. As recently as June 2020, users complained that Edge had an “export passwords” function but no ability to import passwords from other browsers at all.

Much later, on April 21, 2021 — just three months ago — users began reporting in Microsoft Answers posts that Edge had gained an import feature, but only in a private Insider Channels build and then only if a special command line were entered.

A long article, updated by a Microsoft Ambassador, finally describes on July 2 all the ins and outs of how Edge stores and manages passwords.

Separately, an undated and unsigned Microsoft support document explains the rules Edge follows when it decides whether to copy a previously installed browser’s saved passwords:

Whew! That’s a lot to take in. But you don’t need to remember all of the above. All you need to remember is that most browsers store your saved passwords in an unsecure way that malware can silently copy and send to a hacker’s server.

Without a master password, storing your passwords is a bad idea

I urged my readers to establish a “master password” way back in a November 23, 2004, article, which remarkably is still online. Back then, the exciting new browser was Firefox 1.0. It was the only browser that allowed you to enter an overall string that would encrypt your saved passwords, protecting them from snoopy co-workers and hidden malware. IE certainly couldn’t protect you.

I can’t believe that almost 17 years later I still need to ask people to do this. Browsers should encrypt your saved passwords by default. But most don’t.

The German Federal Office for Information Security (BSI, in German) audited Edge 44, IE 11, Chrome 76, and Firefox 68 in September 2019. Firefox was the only browser that supported a master password. (Mozilla now calls this the “primary password.”) Chrome and Edge also lacked an option to block telemetry collection and provide organizational transparency.

As a result, BSI recommended that German agencies and businesses use only Firefox. For more information, see a ZDNet article and a Forbes summary.

As recently as April 9, 2021, a poster at the Microsoft Tech Community forum announced that a master-password feature had been spotted in a beta version of Edge. However, it’s only a “controlled feature,” meaning it’s not yet in wide distribution.

As of July 6, Microsoft’s official feature roadmap for Edge said: “Require authentication before auto-filling passwords.” The target date was given as April 2021, but the status of this feature was still described as “in development.”

I asked Microsoft officials how Edge handles saved passwords from other browsers. According to Microsoft, “Microsoft Edge does not directly pop-up or autofill data from other browsers. Instead, customers have the option to import their browsing data from other browsers to Microsoft Edge based on their interest and consent.”

Regarding reports that Edge had copied saved-password files from Chrome and Firefox without user approval, Microsoft’s statement said this: “The Edge password import feature is now enabled by default in all Microsoft Edge Channels. It can be found on the edge://settings/passwords page inside the Overflow Menu of the Saved Passwords table. Microsoft is looking into the reports you shared and monitoring feedback to improve customer password import experiences.”

There’s good news on whether Edge will soon allow users to enter a master password that would encrypt any username/password combinations that Edge saves. “Microsoft will offer this functionality closer to end of July. If you are on a shared device or have left your computer unlocked, you can opt to add a second verification using your device password to avoid others accessing your website credentials or auto-fill data.”

The statement added: “For more information on Microsoft Edge’s encryption method, please see this support doc: Microsoft Edge password manager security.”

When someone who really knows what Edge is doing with passwords becomes available, I’ll write more about it in this space.

That Microsoft support document states: “Microsoft security baselines recommend disabling the password manager.” The reason is that a computer worm that compromises a network of PCs could obtain all the passwords stored by every browser on the network.

For all the above reasons, I’m going to tell you now not to store passwords in browsers at all.

Storing passwords in your browser was never a good idea

Despite the precautions browsers may take, your usernames and passwords are prime targets for hackers. Your stored credentials may include the keys to your bank account, your credit union, your credit cards, and more.

The MITRE ATT&CK website lists in Document T1555.003 more than 70 attack vectors that are currently circulating to scrape your passwords out of whatever files various browsers store them in. The security group also lists numerous exploits that hack into the old Windows Credential Manager and even some password managers, such as KeePass.

Do you think your PC could never become silently infected by malware?

Don’t be so sure.

People who downloaded a completely legitimate, open-source video transcoder, HandBrake, learned only later that its server had been hacked. Installing the video app silently inserted OSX/Proton, a Trojan horse that was designed to infect Macs. The developer warned customers in a Web posting that half of all their downloads between May 2 and 6, 2017, had contained the malware, according to an Objective-See blog post.

More recently, viruses have emerged that constantly monitor the Windows Clipboard. This could lead to many nefarious acts, but the so-called Clipboard Wallet Hijacker watches for transactions that move digital currency from one of your wallets to another. If this occurs, the malware changes the destination from your crypto account to its own. The security firm 360 Total Security has detected this silent robber on more than 300,000 computers, according to a July 1 Laptop Mag article.

The solution is to install a serious password manager

As a first step to protect yourself, you should turn off all of your browsers’ capabilities to store usernames and passwords. Then delete any credentials they stored. Edge has a simple check-box to do this if you select Settings, Profiles, Passwords, as I explained in my May 17 column.

There are many good password managers, but in that same column I noted that 1Password is the top choice of CNET, Wirecutter, Wired, and several other test sites. It’s not free, costing $3/month for a single user or $5/month for five people. But 1Password is worth it for its support of industry standards and two-factor authentication (2FA) using small USB fobs as well as the MS Authenticator and Authy mobile apps.

Password managers can help you enter passwords into apps that aren’t websites and don’t use a browser. For instance, you may have programs that connect you to sensitive services without there being any webpage to sign in on.

Until a better system than usernames and passwords catches on, we all need to secure these valuable little character strings as best we can.


TOPICS: Computers/Internet
KEYWORDS: browser; cycbersecurity; edge; microsoft; passwords; windowspinglist

1 posted on 07/12/2021 11:30:18 AM PDT by ShadowAce

To: rdb3; JosephW; martin_fierro; Still Thinking; zeugma; Vinnie; ironman; Egon; raybbr; AFreeBird; ...

2 posted on 07/12/2021 11:30:55 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack )

To: ShadowAce

Import, export, what’s the difference?


3 posted on 07/12/2021 11:32:26 AM PDT by Sirius Lee (They intend to murder us. Prep if you want to live and live like you are prepping for eternal life)

To: ShadowAce

I am curious what experiences anyone here has with password managers and can make any recommendations

How to use them and whether I should keep a record of my regular passwords anyway or do they become obsolete? Also how to manage them across devices


4 posted on 07/12/2021 11:33:13 AM PDT by A_Former_Democrat (#LeaveTheGOP. Pass it on Liberty Valance Time. The point of a gun is the only law they understan)

To: A_Former_Democrat

LastPass


5 posted on 07/12/2021 11:34:43 AM PDT by VastRWCon (Fake News")

To: ShadowAce
Whether they ASK or not is of little matter when it is being revealed that software CAN read your login credentials and saved passwords. That's the big takeaway. If they can do it, how possible is it for others to (without asking)?
6 posted on 07/12/2021 11:34:46 AM PDT by a fool in paradise (Lean on Joe Biden to follow Donald Trump's example and donate his annual salary to charity.)

To: ShadowAce

You should never store your passwords on a PC!
Use a thumb drive/Memory stick to store and edit them.


7 posted on 07/12/2021 11:36:34 AM PDT by Keen-Minded

To: ShadowAce

If I go to Facebook, Firefox offers to sign me in with email and saved password as my wife or daughter, neither of whom has ever been on this PC.


8 posted on 07/12/2021 11:37:45 AM PDT by Pollard

To: ShadowAce

My Microsoft browser gets used once. That is when I download a different browser.


9 posted on 07/12/2021 11:38:41 AM PDT by ConservativeInPA (“When injustice becomes law, resistance becomes duty.” ― Thomas Jefferson)

To: Keen-Minded

I made my own encryption/decryption text editor program to store my passwords. Not saying my stuff is the kind of thing you want protecting our nuclear arsenal. But it being made from scratch makes it untouchable by the hack tools meant to hack into stuff that’s on many people’s computers.


10 posted on 07/12/2021 11:39:56 AM PDT by Tell It Right (1st Thessalonians 5:21 -- Put everything to the test, hold fast to that which is true.)

To: ShadowAce

Microsoft sucks.

Microsoft Edge sucks more.

Bill Gates interviewed?

Is the Vaccine Safe? Bill Gates’s answer??
https://media.8kun.top/file_store/23e87634e3fc57457c6af9af6b396b0b01a32992fb0bbfbb669a7c78d9612846.mp4

NOW, are you convinced?


11 posted on 07/12/2021 11:50:23 AM PDT by Texas Fossil ((Texas is not where you were born, but a Free State of Heart, Mind & Attitude!))

To: ShadowAce

The penguins gif is GREAT!

Thank you.


12 posted on 07/12/2021 11:52:35 AM PDT by Texas Fossil ((Texas is not where you were born, but a Free State of Heart, Mind & Attitude!))

To: A_Former_Democrat

I was using Avast Passwords, but they don’t have a family version and seem to be discontinuing the product. They were also caught selling user data.

So, I switched to LastPass. It allows me to share some passwords, gives family members separate accounts and covers 6 devices: my PC, wife’s PC, shared laptop, tablet and both of our phones. They have a 30-day trial, then it’s $48/Yr. Export a copy of your password file once every few months and encrypt it or put it in your safe so you have a backup.

I would never trust a browser to store my passwords. Apple, maybe. Google? Microsoft? NFW. I would also not trust a “free” option. As they say, when something is “free”, YOU are the product.


13 posted on 07/12/2021 11:52:58 AM PDT by ETCM

To: A_Former_Democrat

I just let Google recommend and store passwords for my phones and laptops for most sites. Except for financials which I simply write down and do not store.

Email account passwords are changed every month manually.


14 posted on 07/12/2021 11:59:03 AM PDT by phoneman08 (qwiyrqweopigradfdz oncm,.dadfjl,dz )

To: ShadowAce

After Microsoft promised that they would abandon my Win7 machine to its fate, and the deadlines passed, they pushed an update that included Edge. So my Edge-free computer (which had 5 other browsers for various purposes, and didn’t need another) was suddenly infected with Edge.


15 posted on 07/12/2021 12:07:18 PM PDT by PAR35

To: ShadowAce

Yikes.


16 posted on 07/12/2021 12:11:55 PM PDT by grey_whiskers (The opinions are solely those of the author and are subject to change with out notice.)

To: ShadowAce

bmp


17 posted on 07/12/2021 12:13:22 PM PDT by gattaca ("Government's first duty is to protect the people, not run their lives." Ronald Reagan)

To: A_Former_Democrat

I used to use Dashlane, but I discovered it was inserting garbage JavaScript code into edit boxes on a webpage. Totally unacceptable; it’s a known problem, yet they won’t fix it.

I am using Bitwarden, and I like it.


18 posted on 07/12/2021 12:21:43 PM PDT by Fresh Wind (Der Impfstoff macht frei.)

To: a fool in paradise

Firefox and Chrome, which Edge is based on, are all open source, so why wouldn’t they be able to import credentials from each other?


19 posted on 07/12/2021 12:26:34 PM PDT by newzjunkey (America First - bring on Giant Meteor in 2021)

To: ShadowAce
The solution is to install a serious password manager

I suppose the real question is how do you trust the password manager you've chosen to use?

It would be the honeypot of all honeypots for someone like the CIA or NSA to offer a password manager software app, then be able to create a global database of usernames and passwords for its own internal use.

I mean, it's not as if the CIA hasn't done this sort of thing in the past.

https://www.forbes.com/sites/daveywinder/2020/02/12/cia-secretly-bought-global-encryption-provider-built-backdoors-spied-on-100-foreign-governments/?sh=261053ef580a

20 posted on 07/12/2021 12:28:11 PM PDT by Yo-Yo (is the /sarc tag really necessary?)

